Canada’s electronic spy agency broke privacy laws, watchdog says

Federal watchdog says the Communications Security Establishment passed along metadata of Canadians to counterparts in the U.S., among others

OTTAWA — Canada’s secretive electronic spying agency realized in 2013 it was breaking domestic privacy rules by transferring Canadians’ data to allied countries, but the government kept the mistake under wraps for two years.

The transfers were discovered by the spy agency, the Communications Security Establishment, at a time when the questionable practices of national security agencies were being revealed by U.S. whistleblower Edward Snowden in 2013.

The agency said it quickly informed the defence minister at the time, as well as the watchdog that reviews its operations. Rob Nicholson, who was Conservative defence minister when the transfers were discovered, could not be reached for comment Thursday.

But in April 2014, at a parliamentary committee on defence issues, Nicholson said all CSE activities are conducted within the parameters of Canadian law.

“Were the commissioner ever to conclude that the agency is acting outside the law, he would be required to report this immediately to the attorney general and to me as the minister responsible for CSE,” Nicholson told the committee at the time.

“Both the chief of CSE and I take the findings of the commissioner in his reviews very seriously.”

But the findings only came to light on Thursday, after the office CSE commissioner Jean-Pierre Plouffe — an independent review body — delivered a report to Parliament. Plouffe called the data release “inadvertent.”

A high-ranking CSE official, who Thursday gave a technical briefing on the condition they not be named, described the issue as a technical glitch discovered in late 2013.

CSE suspended the program, which was sharing information with the Five Eyes alliance — a closely knit group including the U.S., U.K., Australia and New Zealand that emerged after the Second World War. The information transferred is known as metadata — commonly described as data about data, such as the origin, destination and duration of phone calls, emails, and text messages.

“We are prohibited from targeting any of our activities at Canadians or anyone in Canada for that matter, but as you can appreciate we do have a legal mandate to collect information from the global information infrastructure, for purposes of foreign signals intelligence,” the official said.

But metadata may not be as innocuous as it sounds. The former head of the National Security Agency, CSE’s American counterpart, famously pointed out that the U.S. kills people based on metadata. CSE describes metadata as the “context” of Internet and telephone data, not the “content.”

The CSE official said the Canadian information that was transferred could not be used to identify any individual Canadian, but that it broke the rules governing the agency’s information sharing regime nonetheless. While CSE downplayed the severity of the breach — saying the privacy impact was “low” — it was significant enough to prompt the first press briefing in the agency’s 70-year history.

While Internet freedom advocacy group OpenMedia lauded CSE’s suspension of the program, they said in a statement that Canadians’ privacy rights should come before the needs of foreign spy agencies.

“Today’s halt to metadata sharing should not be just a temporary pause, but the first step in a wider review of the needs and priorities of information sharing and collection among Canadian and foreign intelligence,” Laura Tribe, OpenMedia’s digital rights specialist, wrote in a statement.

“No Canadian should need to fear that their private information is being handed to foreign agencies by their own government.

CSE would not say if the data was obtained through “backbone” Internet surveillance, a practice used by electronic spy agencies to gather mass amounts of information travelling along the Internet’s physical infrastructure.

Defence Minister Harjit Sajjan, a former military intelligence officer, did not say if the new Liberal government supports this type of interception, instead saying officials could field questions on the “technical lingo.”

“The collection is done in accordance with the National Defence Act. And it’s also, one of the important aspects for Canadians to know is that this, the actual deficiency was actually identified by CSE officials themselves,” Sajjan, the minister responsible for CSE, told reporters in the House of Commons.

Sajjan said CSE would not drill down to find out exactly how many Canadians had their information transferred to Five Eyes nations because doing so would actually violate privacy laws a second time.

When asked why the breach was not disclosed earlier, Sajjan said he could not speak for the previous Conservative government.

“But I can assure you when this was brought to my attention after being sworn in as minister of national defence . . . we have taken appropriate action,” Sajjan said. “I’ve accepted all the recommendations that the (CSE) commissioner has laid out.”

NDP public safety critic Randall Garrison said Canadians do not have to choose between their security and their rights. “We need concrete measures that keep Canadians safe without eroding away our freedoms and civil liberties.”

The Toronto Star attempted to contact Nicholson, who was defence minister from July 2013 until February 2015, for this article. Emails and a telephone request for comment were not returned Thursday. Nicholson could not be found outside the House of Commons after question period, where neither the Conservatives nor the NDP raised the issue of CSE surveillance.

Plouffe, the CSE commissioner, delivered his 2014-15 report into CSE’s activities to former defence minister Jason Kenney last June. But according to Plouffe’s office, the former Conservative government declined to table the report with Parliament during the summer. The federal election further delayed the report’s release to the House of Commons.

Plouffe, whose office declined interview requests Thursday, reviewed a variety of CSE’s signals interception activities, and found they largely complied with the law. The offending metadata transfer was the only outlier, and Plouffe was satisfied with CSE’s response.

“I found that CSE took corrective actions and proactively suspended the sharing of certain types of metadata in order to protect the privacy of Canadians while developing a solution to the problems it encountered in this area,” Plouffe wrote.

“In summary, based on my review, although I do not believe these actions were conducted intentionally, they do raise legal questions that I continue to examine and address.”